OSCP : TRY HARDER

Sparsh Kulshrestha
5 min read · Mar 9, 2020


I recently became an OSCP and wanted to share my thoughts and experience. During my preparation I read tons of OSCP reviews, and they helped me a lot in understanding where I stood and what I should expect from the OSCP. So I'll share my version of an OSCP review here, hoping to make your path easier.

INTRODUCTION:

Penetration Testing with Kali Linux (PWK) is the most popular course offered by Offensive Security; completing it and passing the exam earns you the OSCP certification. It is held in very high regard in the information security industry. An OSCP, by definition, is able to identify existing vulnerabilities and execute organized attacks in a controlled and focused manner, write simple Bash or Python scripts, modify existing exploit code to their advantage, perform network pivoting and data exfiltration, and compromise poorly written PHP web applications.

MY BACKGROUND:

I'm a random college kid studying computer science who enjoys hacking and networking. I started learning about information security 2 years back. Overall, I'd say I have a relatively solid background for the OSCP, but upon reviewing the course syllabus there were some topics completely new to me, so I decided to prepare until I felt comfortable.

PREPARATION:

I started my OSCP preparation in April 2019, booked 60 days of lab time in August 2019 and took my first exam attempt in September 2019. Keeping it short and simple, below is the timeline of my OSCP preparation:

April: From the syllabus I broke down each section, started reading more and more articles on each section and bookmarked them for future reference. I also practiced on Hack The Box, VulnHub and PentesterAcademy, and did the penetration testing course by TheCyberMentor.

May: Did nothing; wasted the whole month due to university exams. BAD DECISION.

June: When I came back home after exams in mid-June, I had lost track of where I was before, but I had all the resources bookmarked as well as saved locally, so it took me one week to revise them, and then I started doing VulnHub and HTB again. I also did a Cybrary course on Python for security researchers. I was already familiar with Python, but it's free and recommended by TheCyberMentor, so why not :p

July: This was the most productive month. I bought HTB VIP, solved around 35 retired boxes, watched IppSec videos and read 0xdf write-ups. I highly recommend watching IppSec's videos; I watched them more than once. He helped me build a solid methodology: how to approach your target, which ports are important, how to use the available information for enumeration and exploitation, and much more. He helped me a lot in speeding up my learning process.

August: On 8 August 2019, I signed up for 2 months of lab time. Once you have registered, it takes about 10 days for your coursework to start. In these 10 days I practiced buffer overflows on Vulnserver and Brainpan.

I’ve created a list of all the resources and cheat-sheets I found helpful during preparation and labs. You can find it here:

LABS:

Here comes the best part of the OSCP, and what makes the OSCP much, much better than other certifications. The labs are nicely designed to simulate a real corporate network, where you have different departments and several machines across multiple networks behind a firewall, and you have to compromise them. I spent 12–15 hours per day in the labs and pwned ~40 machines, including the tough ones, in the first 28 days. I used Metasploit on a few machines but re-rooted them manually later, before the exam.

Problems I faced in labs:

The main issue I faced in the labs was Windows. Make sure you're comfortable with the Windows command line before enrolling. Also, most of the Windows machines in the OSCP labs don't require privilege escalation, but that's not the case in the exam. I practiced Windows privilege escalation on HTB.

I scheduled my first exam attempt for 24 September. My plan was that if I failed, I would analyze my attempt, figure out my weak points and work on them before the second attempt. I obviously didn't want to fail.

THE EXAM:

NOTE: This part of the blog has been edited because it was leaking too much info about the exam. So don't blame me if it doesn't make sense to you.

The exam is a 24-hour exam with 5 victim hosts, followed by a second 24-hour period for you to compose and turn in your report. You will be allocated 6 machines: 5 exam machines and 1 Windows test VM, just like in the labs; this VM will be your debugger for exploit writing. In order to pass you need to score 70/100 points, with each machine worth a different number of points depending on its objective.

My exam was scheduled to begin at 2:30 PM. I woke up around 11:30 AM with no intention of sleeping again until I had enough points to pass.

The first and most important step is to run enumeration for all machines in the background. I wrote a super simple Python script to automate different nmap scans. 35 minutes after my initial start time, I finished my buffer overflow machine, but for some reason my exploit worked on the debugger machine and not on the actual machine. I reverted the box and it worked. The next one was a 10-point machine; after enumerating it properly I found something fishy and drilled down that path to get root (or SYSTEM). By 4:00 PM I had 35 points under my belt. After 1 hour, I got a low-privilege user shell on a 20-point machine. I enumerated, found something, and got root by exploiting it. I then decided to take a 15-minute break to clear my mind.

After the break, I decided to approach the second 20-point machine. I got user on this box after 1 hour. The user shell on that box was very tricky; I chained multiple vulnerabilities to get it. By 6:00 PM I had 65 points and needed just 5 more to pass. I enumerated the system, found something vulnerable, exploited it and got root (or SYSTEM) within 45 minutes, bringing me up to 75 points. At this point, I decided to take a 1-hour break before approaching the final machine.

After 1 hour, I got back on my system and reviewed the recon data for the final machine. I got remote code execution on this box after modifying my exploit several times, and got a reverse shell a few minutes later, bringing me to 87.5 points. I enumerated the system internally for privilege escalation but could not find any misconfiguration. At this point, I made sure that I had all the screenshots for the report and decided to terminate my VPN connection.

I would say that the exam machines are similar to the lab machines, but with more recent vulnerabilities and patched operating systems. All of my exam machines except the buffer overflow one were filled with rabbit holes.

I submitted my not-so-miserable 40-page report at 10:00 PM on 25 September and received a confirmation email from Offensive Security a few weeks later that I had passed.

Some Random Tips:

  1. Preparation is important. When I first started preparing for it I thought maybe I could do it in 90 days; later I booked 60 days of lab time and did it in 30 days.
  2. Make sure you have enough time to dedicate to the labs: at least 8 hours each day. The more time you put in, the more you'll learn from this course.
  3. Do proper post-exploitation on lab boxes. They contain information which is required later in the labs.
  4. Practice buffer overflows more than 10 times.
  5. Try harder and never give up.
